On 4/6/20 1:39 PM, Thomas Lamprecht wrote:
On 4/6/20 1:31 PM, Dominik Csapak wrote:
this can be used to test the resulting config before actually changing
anything

I mean we print all actions out already, I explicitly changed the task log
to avoid printing "delete user" if it would be re-added again, so my idea
for the dry run was to just omit the cfs write and print a note about the
sync being a dry run one at the end?

You do not get extra information when printing everything, or?

well yes actually, you can see the information about the properties
which you could not before (e.g. a user's email, etc.)
we could of course simply print all properties, but i found this
approach a little better, since an admin can now see what would really
get written out to the config


Signed-off-by: Dominik Csapak <d.csa...@proxmox.com>
---
  PVE/API2/Domains.pm | 50 +++++++++++++++++++++++++++++++++++++++++----
  1 file changed, 46 insertions(+), 4 deletions(-)

diff --git a/PVE/API2/Domains.pm b/PVE/API2/Domains.pm
index b42d4f6..1a5700e 100644
--- a/PVE/API2/Domains.pm
+++ b/PVE/API2/Domains.pm
@@ -341,6 +341,33 @@ my $update_groups = sub {
      }
  };
+my $print_users_and_groups = sub {
+    my ($config, $realm, $scope) = @_;
+
+    my $tmp_config = {
+       users => {},
+       groups => {},
+    };
+
+    if ($scope eq 'users' || $scope eq 'both') {
+       foreach my $userid (sort keys %{$config->{users}}) {
+           next if $userid !~ m/\@$realm$/;
+           $tmp_config->{users}->{$userid} = $config->{users}->{$userid};
+       }
+    }
+    if ($scope eq 'groups' || $scope eq 'both') {
+       foreach my $groupid (sort keys %{$config->{groups}}) {
+           next if $groupid !~ m/-$realm$/;
+           $tmp_config->{groups}->{$groupid} = $config->{groups}->{$groupid};
+       }
+    }
+
+    my $res = PVE::AccessControl::write_user_config("", $tmp_config);
+    $res =~ s/\n{2,}$/\n/m; # remove trailing empty lines
+    $res =~ s/^\n+//m; # remove preceding empty lines
+    print $res;
+};
+
  my $parse_sync_opts = sub {
      my ($param, $realmconfig) = @_;
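Review bot: The realm filter in `$print_users_and_groups` interpolates `$realm` into both patterns unescaped, so any regex metacharacter a realm name may contain (a `.`, for instance) widens the match and the dry-run output can list entries that do not belong to the realm being synced. Quoting the value and anchoring on the true end of the string avoids that: `next if $userid !~ m/\@\Q$realm\E\z/;` and `next if $groupid !~ m/-\Q$realm\E\z/;`. The two cleanup substitutions also carry `/m`, which lets `^` and `$` match at inner line breaks, so they can strip a blank line in the middle of the output instead of only at the edges; `\A` and `\z` without `/m` would do what the comments beside them say. Whether realm names are validated strictly enough elsewhere to make the first point moot is not visible in this hunk.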
@@ -386,7 +413,13 @@ __PACKAGE__->register_method ({
        additionalProperties => 0,
        properties => get_standard_option('realm-sync-options', {
            realm => get_standard_option('realm'),
-       })
+           'no-write' => {
+               description => "If set, does not write anything.",
+               type => 'boolean',
+               optional => 1,
+               default => 0,
+           },
+       }),
      },
      returns => {
        description => 'Worker Task-UPID',
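Review bot: The description of `'no-write'` states only what the option suppresses, but with it set the worker also prints the resulting user/group config lines to the task output (see the last hunk), which an API user should know before enabling it. Something like `description => "If set, does not write anything and prints the resulting user/group config lines to the task log instead.",` would cover it. The enclosing `register_method` call starts and ends outside the hunk.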
@@ -398,6 +431,8 @@ __PACKAGE__->register_method ({
        my $rpcenv = PVE::RPCEnvironment::get();
        my $authuser = $rpcenv->get_user();
+ my $write = !(extract_param($param, 'no-write'));
+
        my $realm = $param->{realm};
        my $cfg = cfs_read_file($domainconfigfile);
        my $realmconfig = $cfg->{ids}->{$realm};
@@ -437,12 +472,19 @@ __PACKAGE__->register_method ({
                    $update_groups->($usercfg, $realm, $synced_groups, $opts);
                }
- cfs_write_file("user.cfg", $usercfg);
-               print "successfully updated $whatstring configuration\n";
+               cfs_write_file("user.cfg", $usercfg) if $write;
+               print "successfully updated $whatstring configuration\n" if 
$write;
+               if (!$write) {
+                   print "\nresulting user/group config lines:\n";
+                   print "-----------\n";
+                   $print_users_and_groups->($usercfg, $realm, $scope);
+                   print "-----------\n";
+               }
            }, "syncing $whatstring failed");
        };
- return $rpcenv->fork_worker('auth-realm-sync', $realm, $authuser, $worker);
+       my $workerid = $write ? 'auth-realm-sync' : 'auth-realm-sync-test';
+       return $rpcenv->fork_worker($workerid, $realm, $authuser, $worker);
      }});
1;
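Review bot: In the `!$write` branch the complete serialized user and group entries of the realm go to the worker's output, so everything `write_user_config` emits for a user lands in the task log, which may be readable by a different set of users than user.cfg itself. The thread mentions e-mail addresses; if the serialized lines can also carry secret-bearing fields (not visible in this diff), those should be left out of the printed copy, or access to the log should be documented. A comment above the branch such as `# dry run: the lines below end up in the task log, keep secrets out of it` would record the constraint. As a style point, the two postfix `if $write` statements followed by `if (!$write)` read more clearly as one `if ($write) { ... } else { ... }`. The worker closure starts outside the hunk.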


